If someone comes to me today preaching about “post-quantum” security issues, I’ll remind them of the current state of security: the npm ecosystem gets abused daily, CI pipelines run left and right with full access to cloud services, so-called security devices like F5 and Ivanti are exposed to the internet (and compromised), mailboxes get compromised just to change an IBAN in a PDF, and a simple phone call is still enough to get someone to hand over an MFA code.

But yes, by all means, let’s focus on post-quantum threats while handing AI tools SSH access like it’s a feature, not a confession.

#cybersecurity #stateoftheworld

@adulau Thank you! And for many orgs, PQC issues should not even be in their threat model. It's probably a sexy name to get some attention and budget, but indeed it should not make it onto the priority list for most orgs...

@adulau Quantum computing is the new blockchain.

But let's face it: it's easier to babble about fuzzy threats than to do something about existing ones, be it in IT security or climate change. The former makes you important in a LinkedIn sense, the latter is actually hard work.

@adulau Thank you.

I've been advocating for spend on the basics of security hygiene.

Get all your employees an enterprise license for a password manager, spring for hardware 2FA keys if your workflows support them. Audit external attack surfaces, like exposed AWS buckets. Drop a secret scanner into your CI/CD pipeline. Have an accurate asset inventory.

All of these are cheaper than the new shiny whatever, and have real world, measurable impact.

Thanks for coming to my talk.

#infosec
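One of the cheap hygiene items in the reply above, the secret scanner in the CI/CD pipeline, as an added example (this is not code from the thread or from any of its authors): a minimal scanner that can run as a CI gate, matching known credential formats and flagging high-entropy values assigned to secret-looking names, with a per-line opt-out so reviewers can allow a false positive explicitly. It goes a little beyond the one sentence in the post by adding the entropy check and placeholder handling. The rule names, the `# secret-scan: allow` marker, the 3.5 bits/char threshold and the sample config are constructed for this example; the AWS and GitHub values in the sample are documented example formats, not live credentials.

```python
"""Minimal secret scanner usable as a CI/CD gate (added example, not from the thread)."""
import math
import os
import re
import sys
from dataclasses import dataclass

# Known credential formats (documented prefixes/headers, not guesses):
#   AWS access key IDs: AKIA/ASIA followed by 16 uppercase alphanumerics
#   PEM private-key headers
#   GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 alphanumerics
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Generic "something_secret = value" assignments. The captured value is only
# reported when its entropy says it looks random rather than like a placeholder.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['"]?([^\s'"]{8,})"""
)
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed cut-off): "changeme" scores 2.75, random base64 well above 4
ALLOW_MARKER = "# secret-scan: allow"  # hypothetical per-line opt-out, visible in code review
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # masked match, so the scanner's own report does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep the first 4 characters so a finding can be located, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def is_placeholder(value: str) -> bool:
    """Template syntax and obvious stand-ins should not fail the build."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {"changeme", "password", "example"}


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Scan one file's contents; returns Findings in line order, known formats first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, "high-entropy-assignment", mask(value)))
    return findings


def scan_paths(paths) -> list:
    """Walk files and directories (skipping vendored/VCS dirs) and collect findings."""
    findings = []
    for root in paths:
        files = [root] if os.path.isfile(root) else []
        if not files:
            for dirpath, dirnames, filenames in os.walk(root):
                dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
                files.extend(os.path.join(dirpath, f) for f in filenames)
        for p in files:
            try:
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), p))
            except OSError:
                continue
    return findings


# Constructed sample input: documented example values, not live credentials.
SAMPLE_CONFIG = """\
# constructed sample config
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = changeme
api_key: ${VAULT_API_KEY}
Authorization: Bearer ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
-----BEGIN RSA PRIVATE KEY-----
test_token = "Tg7Qz9pLm2XkR4vWb8YnC3dF6hJ1sA5e"  # secret-scan: allow
"""


def main(argv) -> int:
    """CI entry point: non-zero exit fails the job when anything is found."""
    findings = scan_paths(argv[1:]) if len(argv) > 1 else scan_text(SAMPLE_CONFIG, "sample.cfg")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it scans the embedded sample and reports four lines (the AWS key ID, the high-entropy AWS secret, the GitHub token and the PEM header) while leaving the `changeme` placeholder, the `${VAULT_API_KEY}` template and the explicitly allowed line alone; in a pipeline, pass the checkout directory as the argument and let the non-zero exit fail the job.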